New Zealand organisations are at risk of taking their eye off the ball when it comes to IT security, says IDC New Zealand.\nAs organisations evolve to information led, information-centric business models, the strategic importance of a strong security governance model is critical, the analyst firm says in a statement.\nQuoting results from its recent end-user surveys, IDC says New Zealand organisations cite security as a leading strategic initiative they will deploy by the end of 2015. However, when it comes to the specific technology investments, such as those on what IDC calls third platform technologies (cloud, mobile, social and big data), security is not even in the top three list of priorities.\nIDC recommends these simple steps CIOs and IT managers can take to control their organisations' IT security:\n\u2022\tSet up good configuration with 100 per cent visibility to understand the attack surface. Risks must be prioritised to be adequately addressed relative to the organisation industry risk profile.\n\u2022\tEstablish and anchor a security budget that includes contingency funds as part of the IT strategy. Selling it to executives as an ongoing asset risk management initiative will be critical.\n\u2022\tChoose a security vendor based not only on its track record, but also on its security capabilities and risk management expertise.\n"The mindset of Kiwi CIOs is that security is perceived as a supportive, risk-managing initiative, rather than a primary solution for business goals. This is vastly different from both Australia and AP that place security as the top investment area across all new technology initiatives" says Donnie Krassiyenko, market analyst, IDC New Zealand.\n"New Zealand organisations should ensure that someone at the leadership table carries the responsibility for information and security. This will force the attention and profile required to ensure that security is well considered in all technology investment decisions" notes Adam Dodds, research manager, IDC New Zealand.\n\n"Businesses and the CIO office are signalling a strong intent to work better together. This will be achieved through an alignment of a common language. Being able to articulate risks as they relate to revenue, IP, health and safety, brand, legal exposure and brand risk will provide a sense of perspective against physical and technical investments in security.\nThe analyst firm, therefore, advises that organisations should look to categorise the security risks relative to their impact to the business and the level of the risk represented, which differs across vertical industries.\n\u201cRisk categorisation will help the security office to operate within predictable budgets and, thus, to meet expectations of the executive office," concludes Krassiyenko.\nSend news tips and comments to firstname.lastname@example.org\nFollow Divina Paredes on Twitter: @divinap\nFollow CIO New Zealand on Twitter:@cio_nz\nSign up for CIO newsletters for regular updates on CIO news, views and events.\nJoin us on Facebook.